Most CCTV Systems Come With Trivial Exploits

An anonymous reader writes "The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don't give the devices a second thought anymore. But, those individuals and organizations who actually use and control them should be aware that most of them come with default settings that make them vulnerable to outside attacks. According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess."

Are we surprised?

[lorenlal]

I mean, really? I guess when the designers think of Closed Circuit TV, they're thinking that extends to the management network too eh?

Re:Are we surprised?

[fuzzyfuzzyfungus]

I suspect that there are (at least) two distinct schools of utter fail:

The professionals, with a legacy in CCTV-as-in-actual-closed-circuit-running-on-private-coax, probably have an attitude much as you describe. The classic CCTV systems were dumb as bricks(not that their designers necessarily were, making largely analog, reasonably high bandwidth systems actually work in practice isn't trivial); but that lack of sophistication served as a strong defense against anybody without a physical tap shoved right into the coax. You just don't develop a very strong culture of caring about remote exploits if your engineering history is almost entirely concerned with systems that are incapable of remote anything, whether you like it or not.

Then you have the upstarts(either new companies, or rebadged ODM crap sold by existing ones), who design CCTV systems on the premise that a CCTV camera is basically just an embedded linux board with a camera interface, and a record/playback system is basically just an x86 with some sort of h264 hardware and a lousy frontend. These assumptions are not false, and advances in silicon sensors and cheap embedded computers definitely mean that the price is right; but the standards of security excellence in low-cost embedded gear are absolutely fucking dire... These guys should know better, since their designs are 100% post-ubiquitous-networking in concept; but they just don't get paid enough, or enjoy long enough development cycles, to give a damn.

Re:

[adolf]

Interesting perspective.

I guess that's why I've been installing IP cameras on physically separate networks for all these years.

Unnecessary

[Anonymous Coward]

Interesting perspective.

I guess that's why I've been installing IP cameras on physically separate networks for all these years.

No need to physically separate any more. VLAN's, VRF's, MPLS & Remote Access with VPN's. Easy to maintain and scales nicely up to as many cameras, video-servers etc. you will ever need.

Re:

[NatasRevol]

They're not new...

Re:

[camperdave]

They're not new...

These days they're not even closed circuit.

so?

[gandhi_2]

preconfigured default accounts and passwords

Really? This is supposed to be an issue?

Most of the default user/pass settings are publicly available on manufacturers websites, documentation pamphlets, and 3rd party sites [routerpasswords.com] just for that purpose.

Buffer overflow or sql injection? Ok...
Default passwords are weak? So what?

Re:so?

[lorenlal]

I wish I didn't knee-jerk my reply... Your point is exactly what I'm thinking.

Umm... Yea. I heard that corporate routers and switches come with really weak default protection! Your server will let anyone fire it up and login out of the box!

The horrors... This story is a non-story. If you go buy hardware for some purpose, make sure you configure it. If the story said most CCTV configurations have backdoors, or are easily exploitable even after prescribed lockdown, then we'd have something to work with.

Re:so?

[Anonymous Coward]

Actually, it's kind of sad that it's had to come to this, but most corporate routers and switches no longer have weak default protection. For example, new Cisco switches and routers now ship with a one time use password, so you have to create an account on them when configuring, or you'll never be able to log in again. This really shouldn't be necessary, but we live in a world where there are a lot of people implementing security who don't understand it. Even home routers now often force you to create your own password during setup and disable remote access by default. You could make a pretty convincing argument that the CCTV industry has fallen pretty far behind the times.

Minor side point, but there's a jewelry store below my apartment that uses wireless CCTV cameras... on a WEP protected network... with no logon required to view the stream. I feel bad when I do it, but it's hard not to look.

Re:

[peragrin]

It isn't that they come configured that way it are never changed.

You can literally google model numbers and pull up camera feeds.

How much harder will it be to disable the cameras while you rob a place?

Re:

[DarwinSurvivor]

Just hit the first one in the lense with a paintball gun (or slingshot for the hardcore guys), then take a 10-pack of AA's in series and hook that to the ethernet port connected to the back, that ought to take care of the rest of them (or at the VERY least the switch they all connect to.

Re:

[DarwinSurvivor]

I've honestly never heard of that, do you have a link of some kind I could use to research this further?

Re:

[EvilBudMan]

On problem is all of those X10 cameras installed back in the day in God only knows where that have been long forgotten about. There is no security at all with some devices like this placed in illegal places like motel bathrooms and such.

But the corporate stuff at let's say Walmart, wouldn't have that problem if someone did access the data. What would they see exactly that is of any importance? I would be much more worried about identity theft through servers that have your life history on it like possibly F

Re:so?

[cusco]

I do this for a living, and have been screaming about this to anyone who would listen ever since I got into the physical security field six years ago. I've convinced my company that ALL default passwords on ALL security devices have to be changed if at all possible (on some, like Trango wireless relays, they cant be changed). We are the only company in the Pacific Northwest that does this consistently. I know this for a fact, since I often have to work on systems installed by our competitors.

This is not only an issue on cameras, either. Access control systems, intrusion systems, fire systems, and building control systems all have the same issue. You asked for an example, and here's one that I used to convince our installers that we absolutely HAD to start paying attention to this.

Hospital X has a state-of-the-art security system installed, but default passwords on everything, running on the corporate backbone. Joe Psycho wants to steal his newborn baby from the maternity ward where his ex has just given birth. He can plug into an unattended network port, maybe in a conference room, exam room, or an unoccupied office somewhere on that floor, do a port scan and find everything running on Port 80, scan the ports that the two main infant abduction systems use, and any of the various ports that the major access control systems run on. He has now found every security camera on that subnet, the controller for the access control system, the PLC for the infant abduction system's annunciator, and the communication devices for that system's RFID monitors.

First he logs into the PLC and disables it. Next he can log into the IAS's comm devices and simply change their IP address and it drops offline. Unless the nursing staff just happens to be looking at that screen at that moment they won't know that everything is offline since the annunciator won't raise an alarm. Now to the access control system's ISC, changing the administrator password and the IP address, but not hitting Accept yet. Opening a tab in his browser he can access all of the cameras for that area, again changing the root/admin password and IP address. In a quick cascade of clicking OK he will take every camera and the access control system offline, and leave it in a state where each device has to be physically touched to reset back to the factory defaults. The guard staff will assume that this is probably a network issue, since it's a whole bunch of devices in the same area, and call IT, and by the time they figure out it's an actual attack the baby's in the next county.

Scary enough?

Re:

[cusco]

Horsepuckey. This wouldn't work at our customers (at least not any more), but it certainly would at scores if not hundreds of hospitals around the country. There are only a limited number of players in the security game and many of the components are common to multiple systems (such as Lantronix IP/serial converters), so the knowledge necessary is not an insurmountable hurdle. That knowledge by the way is held by every one of the tens of thousands of guys who have worked installing these systems. I didn

Re:

[tibit]

Oh Lantronix, with firmware so fragile it seems like they had to sprinkle fairy dust on the flash chips just to make it not crumble under its own weight. Agreed.

Re:

[EvilBudMan]

Yes, and as I said before older security systems with a 4 digit pin code without authentication is still in wide use. Simple as heck for anyone to break. Also, cameras with now way to lock them down are everywhere.

Hospitals with all of the ER visits without insurance are strained too with much less security than let's say a WalMart which is wired up like a Vegas casino.

Re:so?

[tibit]

You are under a mistaken assumption that people who know their shit don't go apeshit. Reiser, anyone? So there you go. There's no security through obscurity in those systems. Nurses in the ward? Ha ha. If you look like you belong, you can do anything you please. Good old social engineering. Yeah, I know, nerds usually aren't born with it, but don't count on them never learning. Not if your kid's safety depends on it, yaknow.

Re:

[19thNervousBreakdown]

No, it's not. I've made the exact same case--an exploit that is trivially discoverable is a big exploit.

I'm not saying people who aren't network administrator-turned developer or security guys would do it this way, but I am one, and there's a bunch of us out there. If I wanted to steal a baby, or do anything illegal in a place with computers, plugging into a network jack and running nmap would be the first thing I'd do. Run the scan with paranoid timings, fingerprint every service, pipe the software name +

Re:

[19thNervousBreakdown]

The thing people seem to forget about security by obscurity is that we have computers.

Re:

[EvilBudMan]

Yep, that gives me some other scenarios, since of course they are not going to keep the corporate backbone separate from the cameras, so that convinces me too. I personally would want to keep that separate at least for a small business. In other words don't give all the power to one person as well as setting the passwords and of course even in a tiny business the boss is going to want to watch everything from the internet even if you have dvr's recording every single thing.

I guess most cameras are for theft

Re:

[cusco]

Prevention? No, security video is for forensics. When a simple grocery store might have 20-50 cameras no human being is going to be able to watch any appreciable percentage of them. I forget the exact numbers, but a single human being can actually pay attention to something like 12 cameras for 15 minutes before their brain turns to mush and they need a 5 minute break. Even in a grocery store the security video is more for insurance purposes than anything else, catching the slip/fall con artists, the wor

Re:

[cusco]

Oh, and no, it's not normally a seperate network unless it's a really large installation. At best the cameras might be on their own VLAN, but that's to segregate the traffic rather than as a security measure. It's too damn expensive to pull CAT6/fiber and install and configure a switch just for the three cameras that you might have in one area. Even when it is a seperate network the switches are almost never configured securely, with every open port unlocked and available for anyone to plug into and snif

Re:

[EvilBudMan]

What is wrong with just using wireless instead of dragging more cable? Of course you are talking to a small business person. I'm just wondering why an N-based wireless system couldn't be just as secure in a small place if configured properly or is this not yet possible? If jamming is an issue, I think there are products out there but I am not sure? I know the old ones are still around and not secure at all but it seems like they could be.

http://www.cisco.com/en/US/products/ps9948/index.html [cisco.com]

Just a dumb quest

Re:

[berlinerkindl]

While I agree changing the passwords is the first step in deployment, but (as to your example) why would you install your security devices on the same network as the rest of the building? A little network isolation goes a long way, restrict access to that network to your security personnel. Running an entire hospital on a flat network topology would seem to me to be fairly retarded on the part of whoever is engineering your deployments.

Also in the news

[Chrisq]

Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box", allowing you to configure them securely if needed. If they didn't they would get a lot of returns and support calls from people who didn't read the manual.

Re:

[RawsonDR]

Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box"

Not Wifi dildos...

What does CC mean?

[Infiniti2000]

Are they taking the CC out of CCTV? What am I not understanding about this term? I guess it may have evolved to not be closed circuit any more, but then it should be called something else. Regardless, a "default" with gaping vulnerabilities should not surprise anyone.

Re:What does CC mean?

[Anonymous Coward]

CCTV, like the rest of the electronic security biz, is going IP based in a big way now. Keep in mind most people involved with security are, pardon the expression, "hairy arsed" blue collar electrician types. They can do physical wiring ok, but do not have the aptitude for "IT" stuff, which they are positively phobic to.

As you can imagine, they can't even do the basics. Most of that stuff ends up on unfirewalled networks with the default passwords. They see it as 'if it works leave it alone', don't touch anything which might break it. If you're lucky it's a separate security network from the rest of the company, but not always.

I used to work for a company that made a particular PC-based security product (hence posting AC) and for pretty much every system we sold nobody bothered to change the default p/w. Our product was multi user, but they would only use the one default account (with the default p/w) which had engineer access rights for reconfiguring the entire system. The people who bought and installed our system just let the operators (who have no business changing settings) use that account.

Security is moving towards being more of an IT field now, but I wouldn't advise that the /. crowd look for a job there. They won't pay you an IT salary and the people you have to work with will drive you mad (ok, that last bit is true of IT in general!), which is why I no longer work there.

Re:

[cusco]

I came to the physical security field after ten years of server/desktop administration, and can completely confirm what the AC just posted. Our company makes a point of changing default logins for all devices, **IF** we can get the customer to agree. It's distressing to see how many of them will take that password and changed it BACK to the factory default.

Out of all the IP camera manufacturers only Axis seems to get the idea that a security camera should be at least minimally secure. They are the o

This again?

[Dunbal]

Did someone else just learn how to google for CCTV feeds? Best one I ever found was at a dog shelter or animal hospital. Cute little doggies 24/7, and none of the smell. Of course I have more fun with my own dog, but it was a good find.

Re:This again?

[metalgamer84]

Just wait till someone stumbles onto the many webpages hosting hundreds of Trendnet CCTV IP addresses.

http://pastebin.com/sSs79RTd [pastebin.com]

Hey look at that, I even made it easy for you...

Re:

[imcdona]

There is always public webcam [slashdot.org] sites where a simple right click copy image source will glean countless unprotected camera's.

Re:

[imcdona]

There is always opentopia.com [opentopia.com] where a simple right click, view source on the camera image will glean many unprotected webcams.

Re:

[YouWantFriesWithThat]

i once found a harbor in some asian city, wooden fishing skiffs intermingled with heavy cargo ships. they were using an off-the-shelf camera to monitor traffic from a bridge, no passwords, and pan/tilt/zoom were enabled. i moved the camera over to watch people on the bridge, and the actual operator kept moving it back. he/she must have thought the thing was possessed.

Re:This again?

[Baloroth]

Or he knew what was going on because it happened all the time and didn't give a shit because he wasn't paid to care (quite likely).

Re:

[lomedhi]

I disagree. It makes a good point. Your comment, however....

Banal?

[alphax45]

Who uses this word? I had to look it up and even Wikipedia re-directs it: http://en.wikipedia.org/wiki/Banal [wikipedia.org] - Goes to the page on "Predictability" with the note "(Redirected from Banal)"

Re:Banal?

[kermidge]

banal - with a small "b": lacking originality, freshness, or novelty

Using most generic search engines with "define:banal" with or without the colon shoulda pulled that up for you. I think I last used it in conversation a year or two ago. If you like banal, you should check out "jejune."

Re:

[arth1]

Out of curiosity, where are you? "Banal" is a common enough word in English.
I would also recommend that you look up words in Wiktionary instead of Wikipedia. Not even a small fraction of English words warrant a Wikipedia article, and if you limit your vocabulary to those words, it will be arrant uneath to converse you.

Re:

[alphax45]

Out of curiosity, where are you?

I work in Toronto, live in the town of Ajax just east of there.

Re:

[hoggoth]

I just had to look up Ajax.
Apparently he is a Greek hero. Fancy pseudo-intellectual sprinkling Greek mythology into your conversations...

Re:

[AliasMarlowe]

Out of curiosity, where are you?

I work in Toronto, live in the town of Ajax just east of there.

I used the word "banal" on numerous occasions (spoken and in email or documents) when I lived in Toronto, and the permanent residents seemed to understand it. Other people even used the word in my hearing, and used it correctly. Their vocabulary was not too bad for that side of the Atlantic. Of course, most of us lived in the Western and Northern suburbs rather than in Ajax...

Re:

[camperdave]

Hi fellow GTA-ian. I live out by the zoo: Meadowvale and Sheppard area.

Re:

[bmo]

>Who uses this word?

Plenty of people.

Look out for the anthropophage behind you.

--
BMO

Only a problem to dumb IT.

[Lumpy]

If your Security CCTV system is on the net or has the ports open to the net, then your IT guy is a moron and needs to be fired.

VPN in then connect to the Security cameras.. Yes it even works with the iPhone apps for the CCTV systems. Anything else is just proof of incompetence.

Re:

[drinkypoo]

Closing the doors to the world because you are using an inferior product or because your IT people is retarded is not a solution.

It is a fact that disabling front-facing ports reduces attack surface. You ain't perfect, you could make a mistake. Clearly you knew what you were saying was nonsense, because you left your comment anonymously. I'd be afraid to have my name associated with that statement too, if I ever exercised any restraint on slashdot beyond not breaching NDAs.

Re:

[drinkypoo]

Guess who left his wall publicly visible. Not very wise of you Martin.

Actually, I post friends-only and then I go back through my activity log and publicize the things I intended to share. Guess what? I'm on Google+ too.

And you completely missed the point about vaccines. The answer to your little meme picture is "Because they are never 100% effective, dipshit, so your sick kid can still infect mine."

Indeed, many of them are pretty much utterly ineffective. I'm not anti-vaccine, I'm anti-not-asking-questions.

Re:

[Lumpy]

And a free software package, Zoneminder, is still 800% better than any product your company makes. Why? Because I can base it on a secure BSD or linux distro that will get updates for security holes on a regular basis. Your product, being china made will never have security releases to fix holes in the underlying Linux OS.

I have seen and dealt with the junk companies like yours make, Running incredibly old kernels and TCP stacks that have known exploits. The tip off that a CCTV recorder is junk?

Re: Zoneminder

[drainbramage]

Pretty much spot on.
Also not that the china turnkey systems run Linux but do not allow you to view them on Linux.
However, why no audio support in Zoneminder?

Re:

[Lumpy]

There is audio support in zoneminder,. It is currently a early beta plug in. but very very few security installs use audio because of state wiretapping laws prohibit it so it was not a priority of the developers.

Of course they do

[queequeg1]

How else could the IMF team snap a little doodad on the cable and magically get a high-def feed to the most sensitive parts of every building? Duh.

a lot of security installers are not IT techs

[Joe_Dragon]

a lot of security installers are not IT techs
http://thedailywtf.com/Comments/Just-One-Port.aspx [thedailywtf.com]

Just "Exploited" It Last Night

[clam666]

I noticed this just last night.

I live in one of those large, over-priced "planned communities" with the town centre, the gym/tennis courts/water park area, etc. They offer free, open WiFi for people in the gym area, so I was checking some mail and decided to do a little network port scanning and saw a couple dozen systems, printers, routers and such on the network, which I thought was odd, as usually those kind of things aren't on the same network as all the free WiFi junk.

I'm just idly curious as to what is around, and came across some unusually named servers (ie: default out of the box) and was just connected via web and it brought up the entire security camera console.

Now there was no "exploiting" going on at all. I just connected to a publically accessible (and offerred) free WiFi point, and browsed a computer name using HTTP, and there I was looking at 4 streaming cameras through a web console, at the gym. Another server (just sitting on the network as well) had all the external cameras for the doors and walkways.

Now this wasn't just a monitoring console, but the full record/stop recording, pan, zoom, admin console. Sitting out completely available, for anyone to just ping and do whatever they wanted.

I've honestly never seen anything like it. There wasn't even a password or any security. Not even a "you shouldn't be here" pop up or anything.

Has anyone ever seen a situation like this? Where a security console wasn't at least locked down to a particular MAC address for monitoring or IP restricted or, God forbid, not on the same network as your customers to randomly browse to?

Re:

[cusco]

I may well be able to guess what the manufacturer's name is, we were forced to install one of those abortions at a customer site. We complained every step of the way, but they said that this was their nationwide corporate standard. It's very likely that the property managment company your community uses installs the exact same system the exact same way at every site they manage. Property management companies tend to be really cheap (the majority, not all of course). They probably have some underpaid kid

Re:

[bmo]

After years of Not believing movies where the CCTV was so easily manipulated, you are telling me I was ignoring a training course in burglary?

It's been this way for 10 years or more. Seriously, I forgot the first time I found a list of these. It's been this way ever since they put apache web servers on "CCTV" cameras and stuck them on the Internet. With PNP settings on your router turned on, you don't even have to open the port manually.

This is a non-story and is obvious to fucking everyone who has so mu

Exploits != Vulnerabilities

[Shad0wFyr3]

These systems come with vulnerabilities, not exploits. Exploits are the things you throw at a vulnerability to make the device bend to the your will.

Re:

[0123456]

My IP camera came with an undocument passwordless root login if you telnet to a particular port. Does that count as an exploit or a vulnerability?

Certainly someone must have pointed out it because it was removed in the firmware update.

Re:

[Shad0wFyr3]

That's still a vulnerability. In that case, the exploit is merely your keyboard where you log in to that paswordless root account through that particular port. The exploit is the way that you leverage an existing vulnerability (the vulnerability, in your case, being the manufacturer-provided backdoor).

How else...

[vanyel]

...are the heroes and villains in the movies supposed to keep an eye on each other?

Default Password List

[IPCamera]

Yes,you are right! Many ip cameras [ipcamerasupplier.com] all have default passwords.If consumers didn't change the passwords,that's very dangerous! Here is a default password list [ipcamerasupplier.com] of some kinds of ip cameras.